RE: iSCSI: SRP groups in Security-14 strawman

[Paul Koning <ni1d@arrl.net>]

>>>>> "Black" == Black David <Black_David@emc.com> writes:

 >> If I remember right, there are performance benefits in some bignum
 >> implementations to having a modulus with a bunch of leading and/or
 >> trailing 1 bits.  The IKE primes are constructed to achieve that,
 >> the SRP primes are not.  In other words, because of that
 >> construction there IS value in allowing those primes; the IKE
 >> primes are NOT superfluous and should be allowed whether or not
 >> there are primes in the SRP reference software package of the same
 >> size.  In other words, keep the 1024, 1536, and 2048 bit MODP
 >> primes, using the generator that Tom Wu identified.

 Black> Could you or someone double check on these performance impacts
 Black> and their magnitude?
 
I looked in RFC2412, which mentions the benefit but doesn't quantify
it.  I also looked in the Handbook of Applied Cryptography, which
describes a whole bunch of exponentiation algorithms.  I'm not well
enough versed in this stuff to translate the brief comment in RFC 2412
plus the algorithms in HAC into a specific percentage benefit.

I wonder if one of the SSH folks can help answer this, since they seem
to have the necessary technical skills.

     paul